Thoughts on business and business software

Posts tagged "Task Access Control List"

Recently, I had an interesting discussion with a customer representative regarding the nature of LiveCycle Process Management ES2 and the use of shared queues. Specifically, the issue came down to a misunderstanding of how the Assign Task Operation’s Task Access Control List (ACL) parameters affected who could see items in a user’s shared queue.

With the help of Chantal Richard and Jasmin Charbonneau, I learned a lot more about what these parameters do. I thought it would be a good idea to share the information in case others are as confused as I was.

Say we have a task that is assigned to a user. The particular user is decided at runtime based on some process data. The Task Access Control List (ACL) provides restrictions on what that user can do with the task. It does not say with whom the task can be shared, consulted on, or forwarded (etc.). The “Add ACL for shared queue” option only states whether the task can be viewed in a shared queue, not who gets access to that shared queue. You can use the “Reassignment Restrictions” to specify which group(s) a user can share with, forward to, or consult with.

For example, consider the following setup for a task assignment (see image):

A task is assigned to a user based on the XPath expression – let’s say, based on form and process information, it gets assigned to Sarah Rose. The system then checks to see if Sarah is in the Task Access Control List (ACL). In this case she is, and her options say she can share the task. The Task Access Control List (ACL) does not say with whom she can share. The other users in this list (John Jacobs and Kara Bowman) are in the list in case they get assigned the task and the system needs to decide what they can do. The Reassignment Restrictions section tells us that this task can only be shared with the “All principals in Default Domain” group.

Since the “Add ACL for shared queue” option is checked, the task will show up in Sarah’s shared queue (if it were not checked, the task would not show up in her shared queue). This means that if Sarah shares her queue with another user, they will see that task in her queue. An important note: the “Add ACL for shared queue” option is not affected by the “Reassignment Restrictions”. In this example, if Sarah shares her queue with Bob Jones, who is not in the “All principals in Default Domain” group, then when Bob looks in Sarah’s queue he will see the task.

If we now look at the entry for John Jacobs in the Task Access Control List (ACL), we will see that he is not allowed to Share or Consult the task.

This means that if the task was assigned to John, he would not be allowed to share the task or use Workspace to consult with others. He has different permissions than Sarah.
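The three settings described in this post are evaluated independently, which is easy to miss when reviewing who can actually see a task. The Python sketch below is an added illustration, not LiveCycle code and not part of the original post; the class and method names are hypothetical, and "Dana Member" is a constructed member of the "All principals in Default Domain" group.

```python
# Toy model of the settings described above; not LiveCycle's API.
from dataclasses import dataclass, field

@dataclass
class TaskAssignment:
    assignee: str
    acl: dict                  # Task ACL: user -> actions that user may take if assigned
    reassign_groups: dict      # Reassignment Restrictions: group name -> members
    add_acl_for_shared_queue: bool
    queue_shared_with: set = field(default_factory=set)  # users the assignee shared their queue with

    def can_reassign(self, action, target):
        """May the assignee share/consult/forward this task with `target`?"""
        # Assumption: an assignee missing from the ACL gets no permissions
        # (the post does not cover that case).
        permitted = action in self.acl.get(self.assignee, set())
        allowed_targets = set().union(*self.reassign_groups.values())
        return permitted and target in allowed_targets

    def visible_in_shared_queue(self, viewer):
        """Queue visibility depends only on the checkbox and on queue sharing."""
        return self.add_acl_for_shared_queue and viewer in self.queue_shared_with

    def viewers_outside_restrictions(self):
        """Users who can see the task via the shared queue but are not valid reassignment targets."""
        if not self.add_acl_for_shared_queue:
            return set()
        return self.queue_shared_with - set().union(*self.reassign_groups.values())

def example_task(assignee, queue_shared_with=(), shared_queue_flag=True):
    """The post's setup. Kara Bowman's options are not stated in the post, so she is omitted."""
    return TaskAssignment(
        assignee=assignee,
        acl={"Sarah Rose": {"share"}, "John Jacobs": set()},  # John: no Share, no Consult
        reassign_groups={"All principals in Default Domain": {"Dana Member"}},  # constructed member
        add_acl_for_shared_queue=shared_queue_flag,
        queue_shared_with=set(queue_shared_with),
    )

if __name__ == "__main__":
    task = example_task("Sarah Rose", queue_shared_with={"Bob Jones"})
    print("Sarah may share with Bob:", task.can_reassign("share", "Bob Jones"))
    print("Bob sees task in Sarah's queue:", task.visible_in_shared_queue("Bob Jones"))
    print("Viewers outside restrictions:", task.viewers_outside_restrictions())
```

`viewers_outside_restrictions` is the check worth running when auditing a process: it lists everyone who can view the task through a shared queue even though the Reassignment Restrictions would not let the assignee share it with them.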